When opening an online account such as a bank account, restrictions like "passwords of up to 6 characters" are sometimes imposed, and some people worry: "Is that really secure with so few characters?" Security expert Troy Hunt, who developed the service 'Have I been pwned?', addresses this question in the following post:

Troy Hunt: Banks, Arbitrary Password Restrictions and Why They Don't Matter

The maximum password length varies from bank to bank: some cap it at 5 characters, while others allow up to 16. Many people worry that such short passwords are unsafe and believe passwords should be as long as possible. Hunt, however, says the bank password limit is "not bad".

Because banks and other financial institutions hold customer assets, hijacking an account there is highly lucrative, so brute-force attacks against them are likely. Banks therefore take measures to quickly lock any account that appears to be under a brute-force attack.

Many financial institutions lock an account after roughly three failed password entries and reopen it only after strict identity verification. In other words, even if a password is limited to 5 characters, there are 100,000 combinations in total from "00000" to "99999", and only two failures are allowed. Hunt points out that it is very unlikely that an attacker who does not know the password will guess it by chance.
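To make the argument concrete, here is an added example (not code from Hunt's post or from any bank) that models the lockout policy just described and computes the bound it places on a guessing attacker. The three-failure threshold and the five-digit keyspace are the article's numbers; the `Account` class and the helper functions are constructed for illustration.

```python
# Added example: account lockout policy and the brute-force bound it implies.
# Not taken from Troy Hunt's post or any bank; the Account model is constructed.
import secrets

MAX_FAILURES = 3            # the article's "about three" failed entries
KEYSPACE_5_DIGITS = 10 ** 5  # "00000" .. "99999"


class Account:
    """Constructed model of a bank login that locks after MAX_FAILURES wrong passwords."""

    def __init__(self, password: str) -> None:
        self._password = password
        self.failures = 0
        self.locked = False

    def login(self, attempt: str) -> bool:
        if self.locked:
            return False  # nothing is evaluated once the account is locked
        if secrets.compare_digest(attempt, self._password):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # reopened only by out-of-band identity verification
        return False

    def unlock_after_identity_check(self) -> None:
        self.failures = 0
        self.locked = False


def guess_success_probability(keyspace: int, max_failures: int) -> float:
    """Chance an attacker with no knowledge of the password logs in before the lock.
    The lock engages on the max_failures-th wrong guess, so at most max_failures
    guesses are ever evaluated, and only one of them can be correct."""
    return min(max_failures, keyspace) / keyspace


def simulate_online_brute_force(account: Account) -> int:
    """Walk the whole 5-digit space against one account and return how many
    guesses were actually evaluated before the lock (or a hit) stopped it."""
    evaluated = 0
    for n in range(KEYSPACE_5_DIGITS):
        if account.locked:
            break
        evaluated += 1
        if account.login(f"{n:05d}"):
            break
    return evaluated
```

Running `simulate_online_brute_force` against an account shows that the lock stops the sweep after three evaluated guesses, and `guess_success_probability` shows that widening the keyspace from five digits to sixteen mixed-case alphanumerics changes a success chance that is already tiny.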

Another point Hunt makes is that 'banks usually don't use user names or email addresses directly as user IDs.' Since a customer registration number is generally used as the login name, the attacker must obtain this number as well. Of course, it is not impossible for a determined attacker to obtain such a number, but stealing a specific user's customer registration number and then also obtaining the password is very difficult.

Hunt also points out that 'the authentication process and security measures used by banks are not limited to entering an account name and password.' Legitimate users may feel that they access their accounts simply by entering a username and password, but Hunt, who has spoken with bank security officials, says that banks in fact protect financial assets with far more sophisticated methods.

Banks use various patterns to detect anomalies, such as the environment and behavior patterns of a user accessing an account, and appear to have systems that go well beyond credential checking by simple string matching. Banks do not disclose their actual security systems to the public, but Hunt says these "hidden security features" contribute significantly to a bank's security.

In addition, banks and other financial institutions are increasingly adopting additional authentication steps for key money-handling procedures. The bank Hunt uses, for example, performs SMS authentication each time a new transfer destination is set up. Also, if a customer's financial assets are damaged, many banks compensate the amount lost from the account, for example by reversing fraudulent transfers. As noted above, Hunt says that a bank's authentication process is very different from simply logging in with a string comparison, and it should not be discussed in the same terms as a general web service.

While conceding that there is no security problem with limiting the number of characters in a password, Hunt nonetheless believes that "banks should remove the restriction on password length". People familiar with security know that the password itself is not the important part, but the general public feels uneasy when a password must be short; in short, Hunt points out, "it doesn't look good".

In addition, some password managers may fail to authenticate when a web service imposes a character limit, so the limit can cause functional problems. In the end, Hunt argues that banks should remove the password limit, but says that a low password length limit is not by itself a reason to stop using a bank.
